Created by MITRE in 2013, the ATT&CK framework documents attacker tactics and techniques drawn from real-world observation. Open and available to everyone, the framework encourages security organizations and vendors to map their capabilities to its tactics and techniques in order to improve our collective cyber defence capabilities.
It is now widely recognized as an authority on understanding the behaviours and techniques of the world’s most dangerous cyber threat actors. But what is it exactly?
Read on below to find out:
MITRE ATT&CK – A Breakdown:
Successful threat detection typically requires that an organization have a deep understanding of the most common techniques and tactics used by threat actors, as this ultimately allows defenders to prioritize the ones that pose the greatest threat to their organization.
Unfortunately, the sheer volume and breadth of tactics available to attackers means that it would be nearly impossible for any single organization to map out and catalogue each one, let alone defend against each one adequately.
This is where the MITRE ATT&CK framework comes in: a knowledge base that indexes and breaks down in detail the steps and methods that attackers use, which ultimately allows security teams to understand the actions required to protect themselves.
MITRE ATT&CK Matrix:
Since its inception in 2013, the ATT&CK framework has been split into three different versions:
- Enterprise: Windows, Mac, Linux
- Mobile: Android, iOS
- Pre-ATT&CK: Preparatory Techniques
The Enterprise version of the ATT&CK Matrix has 14 different tactics, including:
- Resource Development
- Initial Access
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command & Control
For each of these tactics, the MITRE framework lays out the set of techniques used by malware and threat actors. Currently, there are about 185 techniques and 367 sub-techniques, with more being added continuously. Each of these helps defenders better understand how to defend against the tactics used by threat actors.
Why is ATT&CK Relevant to your Organization?
Mapping and cataloguing every single technique used by threat actors is a monumental task, which begs the question: what is the point? The ATT&CK Framework is widely recognized as an authority on understanding attacker behaviours and techniques. This removes ambiguity and provides a common vocabulary for industry professionals to discuss and collaborate.
Additionally, the ATT&CK Framework has many practical applications, including:
- Prioritize Detection Based on Your Organization’s Unique Environment: Preparing for every attack vector is impossible. This framework allows teams to determine where to focus their detection efforts.
- Evaluating Current Defenses: The ATT&CK framework can serve as a great tool for evaluating the depth of coverage around key attack techniques, as it clearly defines which threats are a priority for an organization. This in turn allows security teams to check how their current coverage stacks up.
- Tracking The Latest Threats: The ATT&CK framework is not a static document and will continue to track specific adversary group behaviours. Ultimately it is a useful source of truth for understanding the movements of hacker groups and the techniques they use.
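One concrete form of the coverage check described above, as an added example that is not Stratejm's tooling or MITRE's own code: detection rules tagged with technique IDs are compared against a technique catalogue to find which techniques, per tactic, have no detection at all. The catalogue is a constructed excerpt of a few real Enterprise technique IDs (not the full matrix) and the rules are invented for illustration.

```python
"""Coverage-gap analysis against an ATT&CK-style technique catalogue.

Added example, not Stratejm's or MITRE's code. CATALOGUE is a constructed
excerpt of the Enterprise matrix and RULES are invented detection rules.
"""
from collections import defaultdict

# technique ID -> (name, tactics it belongs to). Sub-techniques carry a
# dotted ID: T1059.001 is a child of T1059, for example.
CATALOGUE = {
    "T1566":     ("Phishing", ["Initial Access"]),
    "T1566.001": ("Spearphishing Attachment", ["Initial Access"]),
    "T1078":     ("Valid Accounts", ["Initial Access", "Privilege Escalation", "Defense Evasion"]),
    "T1003":     ("OS Credential Dumping", ["Credential Access"]),
    "T1003.001": ("LSASS Memory", ["Credential Access"]),
    "T1021":     ("Remote Services", ["Lateral Movement"]),
    "T1021.001": ("Remote Desktop Protocol", ["Lateral Movement"]),
    "T1071":     ("Application Layer Protocol", ["Command & Control"]),
}

# Constructed detection rules, each tagged with the technique IDs it detects.
RULES = [
    {"name": "Office app spawns script host", "techniques": ["T1566.001"]},
    {"name": "LSASS handle opened by non-system process", "techniques": ["T1003.001"]},
    {"name": "Interactive logon from unseen location", "techniques": ["T1078"]},
]

def parent_of(tid):
    return tid.split(".")[0]

def coverage(catalogue, rules):
    """Return {technique ID: 'covered' | 'partial' | 'gap'}."""
    covered = set()
    for rule in rules:
        for tid in rule["techniques"]:
            if tid not in catalogue:   # catch typos in rule tags early
                raise ValueError(f"unknown technique {tid} in rule {rule['name']!r}")
            covered.add(tid)
    status = {}
    for tid in catalogue:
        if tid in covered or ("." in tid and parent_of(tid) in covered):
            status[tid] = "covered"    # direct rule, or inherited from the parent
        elif "." not in tid and any(c.startswith(tid + ".") for c in covered):
            status[tid] = "partial"    # only some sub-techniques have a rule
        else:
            status[tid] = "gap"
    return status

def gaps_by_tactic(catalogue, status):
    """Group uncovered technique IDs under each tactic they belong to."""
    gaps = defaultdict(list)
    for tid, (_name, tactics) in catalogue.items():
        if status[tid] == "gap":
            for tactic in tactics:
                gaps[tactic].append(tid)
    return dict(gaps)
```

Running `gaps_by_tactic(CATALOGUE, coverage(CATALOGUE, RULES))` on the sample data reports Lateral Movement and Command & Control as the tactics with no detection, while Credential Access and Initial Access show only partial parent-technique coverage.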
Stratejm & MITRE ATT&CK
Stratejm’s security team is always participating in MITRE ATT&CK discussions and events, with extensive experience in performing machine learning-based anomaly detection in our arsenal. We highly recommend that every organization incorporate this framework, and are happy to help those who need it.
Contact us today for a consultation to find out how we can help map your security practices against the MITRE ATT&CK Framework.